[Koha-bugs] [Bug 20397] Implement Content Security Policy

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Apr 4 22:36:29 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397

--- Comment #8 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
New to the topic, so I hope what I gathered from reading documentation is about
right:

"Aiming for default-src https: is a great first goal, as it disables inline
code and requires https.
For existing websites with large codebases that would require too much work to
disable inline scripts, default-src https: 'unsafe-inline' is still helpful, as
it keeps resources from being accidentally loaded over http. However, it does
not provide any XSS protection."

I think disabling all inline script would cause quite a lot of side effects at
this point in time. I believe we do still have page-specific JS.

Maybe we should start with default-src https: 'unsafe-inline'?

Content-Security-Policy-Report-Only might also be useful to get a better idea
of the work that needs to be done.

We'd also definitely need a solution for OpacUserJs, and it needs to be
something that doesn't require anything server-side to be triggered manually,
as a lot of libraries don't have easy access.

I know we have some use cases where we load external JavaScript libraries for
tracking, cookie banners and catalog enrichment. Would we need to be able to
set script-src in configuration in order to keep that working?

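The policy progression sketched in the comment above (start from default-src https: 'unsafe-inline', use Report-Only to size the work, allow configured external script hosts, and keep a server-rendered user-JS preference working), as an added example written for this page; it is not Koha code. The nonce for the inline user JS is one possible approach and an assumption, as are the host names, the /csp-report path and the opac.example.org origin; a real deployment would emit the header from the application or the web server. The checker functions implement a simplified version of CSP source matching so the effect of each policy step can be tested offline.

```python
"""Constructed example: build a CSP header for each stage and check what it allows."""
import secrets
from urllib.parse import urlsplit

# Starting point suggested above: anything over https, inline code still allowed.
# It stops http:// resources from loading but offers no XSS protection.
BASE_SOURCES = ("https:", "'unsafe-inline'")
DEFAULT_PORTS = {"https": 443, "http": 80}


def new_nonce():
    """Fresh per-response nonce for a server-rendered inline <script>."""
    return secrets.token_urlsafe(16)


def build_csp(script_hosts=(), nonce=None, lock_scripts=False,
              report_only=False, report_uri=None):
    """Return (header_name, header_value) for one HTTP response.

    script_hosts: host-sources for external libraries an instance needs
                  (constructed: an analytics host, a cookie-banner CDN).
    nonce:        value rendered as nonce="..." on the inline <script> that
                  carries per-instance user JS (assumed approach, not Koha's).
    lock_scripts: replace the blanket https:/'unsafe-inline' for scripts with
                  'self', the nonce and script_hosts. Until this step a host
                  list is redundant, because https: already admits every host.
    report_only:  Content-Security-Policy-Report-Only reports violations
                  without blocking, which sizes the work before enforcing.
    """
    directives = [("default-src", list(BASE_SOURCES))]
    if lock_scripts or nonce:
        script_src = ["'self'"] if lock_scripts else list(BASE_SOURCES)
        if nonce:
            # Caveat: a nonce source makes CSP2+ browsers ignore 'unsafe-inline',
            # so every inline <script> on the page must then carry the nonce.
            script_src.append(f"'nonce-{nonce}'")
        script_src.extend(script_hosts)
        # script-src replaces default-src for scripts; nothing is inherited.
        directives.append(("script-src", script_src))
    if report_uri:
        directives.append(("report-uri", [report_uri]))
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return name, "; ".join(f"{d} {' '.join(s)}" for d, s in directives)


def parse_csp(value):
    """Header value -> {directive: [sources]} (serialized CSP, simplified)."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _script_sources(policy):
    # Scripts fall back to default-src only when script-src is absent.
    return policy.get("script-src", policy.get("default-src", []))


def _host_source_matches(src, url):
    """Host-source match: optional scheme, host (leading *. wildcard), port."""
    scheme, _, rest = src.rpartition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")
    u = urlsplit(url)
    if scheme and scheme.lower() != u.scheme:
        return False
    if port and port != str(u.port or DEFAULT_PORTS.get(u.scheme)):
        return False
    host, target = host.lower(), (u.hostname or "").lower()
    if host.startswith("*."):
        return target.endswith(host[1:])
    return host == target


def script_allowed(csp_value, url, self_origin="https://opac.example.org"):
    """Would <script src=url> load? self_origin is the page's own origin (assumed)."""
    sources = _script_sources(parse_csp(csp_value))
    if "'none'" in sources:
        return False
    scheme = urlsplit(url).scheme
    for src in sources:
        if src == "'self'":
            if _host_source_matches(self_origin, url):
                return True
        elif src.endswith(":"):                      # scheme-source, e.g. https:
            if src[:-1].lower() == scheme:
                return True
        elif not src.startswith("'") and _host_source_matches(src, url):
            return True
    return False


def inline_script_allowed(csp_value, tag_nonce=None):
    """Would an inline <script> (with nonce="tag_nonce", if any) execute?"""
    sources = _script_sources(parse_csp(csp_value))
    nonces = [s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")]
    if nonces:                    # a nonce source disables 'unsafe-inline'
        return tag_nonce in nonces
    return "'unsafe-inline'" in sources
```

Running `build_csp()` gives the starting policy, `build_csp(report_only=True, report_uri="/csp-report")` the observation-only variant, and `build_csp(script_hosts=(...), nonce=new_nonce(), lock_scripts=True)` the tightened script policy; the checkers show that a script-src host list only changes anything once the blanket `https:` is dropped, and that adding a nonce while keeping `'unsafe-inline'` silently disables the latter for inline scripts that lack the nonce.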